Analysis

Max time kernel: 150s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 19/10/2022, 14:20
Static task: static1

Behavioral task: behavioral1
  Sample: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Resource: win10v2004-20220901-en

The signatures and process tree below are from the windows7_x64 run (resource win7-20220901-en).
General

Target: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Size: 1.0MB
MD5: 90be4a2dc439e31bc2d16fd67ccdba15
SHA1: 77f63baa6a331828f2a056d71b1f8719e91e0e15
SHA256: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1
SHA512: 5bd6c6431402552f5fe854379feb9168777a3b48c352747d5e3b30acf0d7998be597295158d9845e43b730ee612e4ddc4e6d99b0cdfa5eb122e28992ea2b296c
SSDEEP: 24576:dZ8kT+HGGZYVi5svzlWs18WCf0EAAPb8YljYcHHMf8/:T8s+g4W71KAyIsYosf8
Malware Config
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  The default data for this value is "C:\Windows\system32\userinit.exe,". Winlogon launches every comma-separated entry at each interactive logon, so appending winupdate.exe makes the dropped file run at logon without needing a Run key at all. When checking a host, anything in this value other than the single default entry is a finding.
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Minidump\\winupdate.exe" | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Checks BIOS information in registry  (2 TTPs, 2 IoCs)
  BIOS information is often read to detect sandbox and virtual-machine environments, because hypervisor BIOS vendors and dates differ from those of physical hardware. The same value is read by the sample and by the explorer.exe instance it ends up running in (PID 288 in the process tree below), which is consistent with the same payload code executing in both.
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application  (2 TTPs, 2 IoCs)
  The value name "svchost" mimics a Windows system binary, while the data points at the dropped file in C:\Windows\Minidump, a crash-dump folder that normally holds .dmp files and no executables. The value is set twice: once by the sample (PID 1688) and once by the notepad.exe instance (PID 540) the sample wrote into, so the injected notepad carries the same persistence logic.
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\Minidump\\winupdate.exe" | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\Minidump\\winupdate.exe" | notepad.exe
Suspicious use of SetThreadContext  (3 IoCs)
  Each call targets a process the caller itself created (see the process tree below): the sample into a second copy of itself, that copy into explorer.exe, and that explorer.exe into a further explorer.exe. Combined with the WriteProcessMemory rows for the same pairs, this is the create-suspended / write / set-context / resume shape of process hollowing. Note that procid_target is the report's own process index for the target, not a Windows PID; the target's Windows PID is in the description.
  Description | PID | Process | procid_target
  PID 1492 set thread context of 1688 | 1492 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 27
  PID 1688 set thread context of 1648 | 1688 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 29
  PID 1648 set thread context of 288 | 1648 | explorer.exe | 30
Drops file in Windows directory  (4 IoCs)
  Writing under C:\Windows requires an elevated token; the sandbox runs the sample as its Admin user (the C:\Users\Admin path below). On a non-elevated account the drop into C:\Windows\Minidump would fail or be redirected, and the persistence entries would then point at a file that does not exist.
  Description | IoC | Process
  File created | C:\Windows\Minidump\winupdate.exe | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  File opened for modification | C:\Windows\Minidump\winupdate.exe | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  File opened for modification | C:\Windows\Minidump\ | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  File created | C:\Windows\Minidump\winupdate.exe | notepad.exe
Checks processor information in registry  (2 TTPs, 8 IoCs)
  Processor information is often read to detect sandbox environments: hypervisors expose distinctive CPU name strings and vendor identifiers, and a single-core CPU is itself a common VM indicator. Rows are grouped by process; both processes read the same three values under CentralProcessor\0.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Enumerates system info in registry  (2 TTPs, 2 IoCs)
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
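The registry rows in the Winlogon, Run-key, BIOS, processor and system-info signatures above can be triaged mechanically. The following Python is an added example and is not code from the sandbox report or its vendor. It embeds the report's own registry rows as constructed records (with the doubled backslashes the report renders), flags any Winlogon\UserInit entry that is not the default userinit.exe, flags a Run value whose name mimics a system binary or whose target sits in a non-program folder under C:\Windows, and counts the distinct HARDWARE\DESCRIPTION\System values each process read. The list of system-binary names and the threshold of three hardware reads are the example's own assumptions.

```python
"""Triage the registry IoCs listed in the signatures above.

Added example; this is not code from the sandbox report or its vendor.
RECORDS is constructed from the report's rows (the report renders value
data with doubled backslashes, which normalize() collapses).
"""
from __future__ import annotations
from collections import defaultdict

SAMPLE = "a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe"
HKLM_HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
CPU0 = HKLM_HW + r"\CentralProcessor\0"
RUN = r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost"

# (operation, key path, value data or None, process) -- constructed from the report's rows
RECORDS = [
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Minidump\\winupdate.exe", SAMPLE),
    ("query", HKLM_HW + r"\SystemBiosDate", None, SAMPLE),
    ("query", HKLM_HW + r"\SystemBiosDate", None, "explorer.exe"),
    ("set", RUN, r"C:\\Windows\\Minidump\\winupdate.exe", SAMPLE),
    ("set", RUN, r"C:\\Windows\\Minidump\\winupdate.exe", "notepad.exe"),
    ("query", CPU0 + r"\Identifier", None, SAMPLE),
    ("query", CPU0 + r"\VendorIdentifier", None, SAMPLE),
    ("query", CPU0 + r"\ProcessorNameString", None, "explorer.exe"),
    ("query", CPU0 + r"\Identifier", None, "explorer.exe"),
    ("query", CPU0 + r"\VendorIdentifier", None, "explorer.exe"),
    ("query", CPU0 + r"\ProcessorNameString", None, SAMPLE),
    ("query", HKLM_HW + r"\Identifier", None, SAMPLE),
    ("query", HKLM_HW + r"\Identifier", None, "explorer.exe"),
]

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumed list of value names that impersonate Windows system binaries
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "services", "smss", "explorer"}
SYS32 = "c:\\windows\\system32\\"
PROGRAM_DIRS_UNDER_WINDOWS = (SYS32, "c:\\windows\\syswow64\\")


def normalize(path: str) -> str:
    """Collapse the report's doubled backslashes, drop quotes, lower-case."""
    return path.replace("\\\\", "\\").strip().strip('"').lower()


def userinit_extras(value: str) -> list[str]:
    """Entries in Winlogon\\UserInit other than the default userinit.exe.

    Winlogon launches every comma-separated entry at interactive logon,
    so any extra entry is a logon-time persistence payload.
    """
    entries = (normalize(e) for e in value.split(","))
    return [e for e in entries if e and e != DEFAULT_USERINIT]


def run_value_findings(value_name: str, data: str) -> list[str]:
    """Heuristics for one Run-key value: a system-binary-looking name that
    points outside System32, and a target dropped into a Windows sub-folder
    that is not a program location (e.g. C:\\Windows\\Minidump)."""
    target = normalize(data)
    findings = []
    if value_name.lower() in SYSTEM_NAMES and not target.startswith(SYS32):
        findings.append(f"Run value '{value_name}' mimics a system binary but runs {target}")
    if target.startswith("c:\\windows\\") and not target.startswith(PROGRAM_DIRS_UNDER_WINDOWS):
        findings.append(f"Run target lives in a non-program Windows folder: {target}")
    return findings


def hardware_reads(records) -> dict[str, set[str]]:
    """Distinct HARDWARE\\DESCRIPTION\\System values each process queried."""
    prefix = HKLM_HW.lower()
    reads: dict[str, set[str]] = defaultdict(set)
    for op, key, _, proc in records:
        k = normalize(key)
        if op == "query" and k.startswith(prefix + "\\"):
            reads[proc].add(k[len(prefix) + 1:])
    return dict(reads)


def triage(records, fingerprint_threshold: int = 3) -> dict[str, list[str]]:
    """Group findings into persistence and sandbox-fingerprinting buckets."""
    findings: dict[str, list[str]] = {"persistence": [], "fingerprinting": []}
    for op, key, data, proc in records:
        if op != "set":
            continue
        k = normalize(key)
        if k.endswith(r"\winlogon\userinit"):
            for extra in userinit_extras(data):
                findings["persistence"].append(f"{proc}: Winlogon UserInit gained extra entry {extra}")
        elif "\\currentversion\\run\\" in k:
            for f in run_value_findings(k.rsplit("\\", 1)[-1], data):
                findings["persistence"].append(f"{proc}: {f}")
    # Several hardware-identity reads by one process is the usual VM/sandbox check;
    # legitimate installers read these too, so weight it with the other findings.
    for proc, values in hardware_reads(records).items():
        if len(values) >= fingerprint_threshold:
            findings["fingerprinting"].append(
                f"{proc}: queried {len(values)} hardware identity values ({', '.join(sorted(values))})")
    return findings


if __name__ == "__main__":
    for bucket, items in triage(RECORDS).items():
        print(bucket)
        for item in items:
            print("  " + item)
```

On the report's rows this yields five persistence findings (one UserInit entry, two for each of the two writers of the Run value) and two fingerprinting findings (the sample and explorer.exe each read five hardware values). The same functions can be fed live values read with winreg on a host under investigation; only the record shape needs to match.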
Suspicious use of AdjustPrivilegeToken  (46 IoCs)
  PID 1688 (the second instance of the sample) and PID 288 (the final explorer.exe) each enable the same 23 privileges, which is the full privilege set of an elevated administrator token on Windows 7 rather than the one or two a program normally needs. That is consistent with code that enumerates the token and enables everything in it. None of these privileges is needed for the injection seen in this run, since every target is a child process the injector created itself. The numeric entries 33, 34 and 35 are privileges the report did not resolve to names; by the winnt.h numbering they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
  Process | PID | Privileges enabled (23 each)
  a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 1688 | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  explorer.exe | 288 | the same 23 privileges, in the same order
Suspicious use of SetWindowsHookEx  (2 IoCs)
  PID | Process
  1492 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  1648 | explorer.exe
Suspicious use of WriteProcessMemory  (56 IoCs)
  The 56 rows are four source/target pairs repeated; identical rows are collapsed into the Rows column (13 + 24 + 6 + 13 = 56). Every target is a direct child of the writer, so the writes needed no OpenProcess on a foreign process and no SeDebugPrivilege. Three of the four pairs also appear in the SetThreadContext signature; notepad.exe (PID 540) only receives writes, yet the process tree shows it dropping the file and setting the Run key. As with SetThreadContext, procid_target is the report's internal index for the target, not a Windows PID.
  Description | PID | Process | procid_target | Rows
  PID 1492 wrote to memory of 1688 | 1492 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 27 | 13
  PID 1688 wrote to memory of 540 | 1688 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 28 | 24
  PID 1688 wrote to memory of 1648 | 1688 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 29 | 6
  PID 1648 wrote to memory of 288 | 1648 | explorer.exe | 30 | 13
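The SetThreadContext and WriteProcessMemory signatures, read together with the process tree, give the injection chain directly. The following Python is an added example and is not code from the report or the sandbox. It encodes those rows as constructed events (the last field is the number of identical rows the report lists for a pair) and labels each source/target pair: a child that received both memory writes and a thread-context change from the parent that created it matches the process-hollowing shape, whereas notepad.exe (540) only received writes. The label strings and the choice to follow one SetThreadContext edge per source are the example's own assumptions.

```python
"""Reconstruct the injection chain from the API signatures above.

Added example; not code from the report. PROCESSES and EVENTS are
constructed from the report's process tree and its SetThreadContext /
WriteProcessMemory rows (the last field is how many identical rows the
report lists for that source/target pair).
"""
from __future__ import annotations
from collections import defaultdict

SAMPLE = "a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe"

# pid -> (image, parent pid); the submitted sample is the root
PROCESSES = {
    1492: (SAMPLE, None),
    1688: (SAMPLE, 1492),
    540: ("notepad.exe", 1688),
    1648: ("explorer.exe", 1688),
    288: ("explorer.exe", 1648),
}

# (api, source pid, target pid, number of rows in the report)
EVENTS = [
    ("WriteProcessMemory", 1492, 1688, 13),
    ("WriteProcessMemory", 1688, 540, 24),
    ("WriteProcessMemory", 1688, 1648, 6),
    ("WriteProcessMemory", 1648, 288, 13),
    ("SetThreadContext", 1492, 1688, 1),
    ("SetThreadContext", 1688, 1648, 1),
    ("SetThreadContext", 1648, 288, 1),
]

# Assumed labels for the three shapes the classifier distinguishes
HOLLOWING = "hollowing-style injection into own child"
WRITE_ONLY = "memory written, entry point not redirected"
CONTEXT_ONLY = "thread context changed without a memory write"


def classify_pairs(events, processes) -> dict[tuple[int, int], str]:
    """Label each (source, target) pair.

    A child that received both WriteProcessMemory and SetThreadContext from
    its parent matches the create-suspended / write / set-context / resume
    shape of process hollowing. Writes alone mean code or data was placed
    but execution was not redirected through the thread context.
    """
    apis: dict[tuple[int, int], set[str]] = defaultdict(set)
    for api, src, dst, _ in events:
        apis[(src, dst)].add(api)
    labels = {}
    for (src, dst), seen in apis.items():
        _, parent = processes[dst]
        if {"WriteProcessMemory", "SetThreadContext"} <= seen and parent == src:
            labels[(src, dst)] = HOLLOWING
        elif "WriteProcessMemory" in seen:
            labels[(src, dst)] = WRITE_ONLY
        else:
            labels[(src, dst)] = CONTEXT_ONLY
    return labels


def injection_chain(events, root: int) -> list[int]:
    """Follow SetThreadContext edges from root; the result is the sequence of
    processes that carried the payload's execution, in order."""
    next_hop: dict[int, int] = {}
    for api, src, dst, _ in events:
        if api == "SetThreadContext":
            next_hop.setdefault(src, dst)  # first redirect per source wins (assumption)
    chain, seen = [root], {root}
    while chain[-1] in next_hop and next_hop[chain[-1]] not in seen:
        chain.append(next_hop[chain[-1]])
        seen.add(chain[-1])
    return chain


def describe(chain: list[int], processes) -> str:
    """Render a pid chain as 'image (pid) -> image (pid)'."""
    return " -> ".join(f"{processes[pid][0]} ({pid})" for pid in chain)


def write_rows_total(events) -> int:
    """Sum of WriteProcessMemory rows; should match the report's IoC count."""
    return sum(n for api, _, _, n in events if api == "WriteProcessMemory")


if __name__ == "__main__":
    print(describe(injection_chain(EVENTS, 1492), PROCESSES))
    for (src, dst), label in sorted(classify_pairs(EVENTS, PROCESSES).items()):
        print(f"{src} -> {dst}: {label}")
    print("WriteProcessMemory rows:", write_rows_total(EVENTS))
```

For this report the chain resolves to the sample (1492) -> the sample (1688) -> explorer.exe (1648) -> explorer.exe (288), and the 1688 -> 540 pair is labelled write-only. The cycle guard in injection_chain matters on real telemetry, where a payload can re-inject into an ancestor's image and produce a loop.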
Processes

1. C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe  (PID 1492)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe  (PID 1688, child of 1492)
      Command line: C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe  (PID 540, child of 1688)
         Command line: notepad
         - Adds Run key to start application
         - Drops file in Windows directory

      3. C:\Windows\SysWOW64\explorer.exe  (PID 1648, child of 1688)
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\explorer.exe  (PID 288, child of 1648)
            Command line: C:\Windows\SysWOW64\explorer.exe
            - Checks BIOS information in registry
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken

Every process in this tree is a direct child of the process that wrote into it, and the system binaries are all launched from C:\Windows\SysWOW64, so the sample is a 32-bit executable running under WoW64 on the x64 image (hence both arch:x86 and arch:x64 in the resource tags). The registry and file activity attributed to notepad.exe and explorer.exe is the injected payload's, not behaviour of the legitimate binaries; on a host, an explorer.exe or notepad.exe with these parents and paths is the indicator to hunt for, together with C:\Windows\Minidump\winupdate.exe and the two registry values above.